Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.2 9/17/84; site opus.UUCP
Path: utzoo!watmath!clyde!burl!ulysses!allegra!mit-eddie!think!harvard!seismo!hao!nbires!opus!atkins
From: atkins@opus.UUCP (Brian Atkins)
Newsgroups: net.flame,net.bugs.4bsd
Subject: YARB (yet another rexec bug!)
Message-ID: <1204@opus.UUCP>
Date: Thu, 16-May-85 16:44:44 EDT
Article-I.D.: opus.1204
Posted: Thu May 16 16:44:44 1985
Date-Received: Sat, 18-May-85 23:35:54 EDT
Distribution: net
Organization: NBI,Inc, Boulder CO
Lines: 56
Xref: watmath net.flame:9972 net.bugs.4bsd:1528

In rexecd.c there is an off-by-one error in getstr.  Strings can only be
n-1 characters long where n is the size of the buffer passed into getstr.

***************************************************************
getstr(buf, cnt, err)
	char *buf;
	int cnt;
	char *err;
{
	char c;

	do {
		if (read(0, &c, 1) != 1)
			exit(1);
		*buf++ = c;
		if (--cnt == 0) {	/* <*** craps out on nth char */
			error("%s too long\n", err);
			exit(1);
		}
	} while (c != 0);
}
***************************************************************

Here is a fix, simple as it is.

***************************************************************
getstr(buf2, cnt, err)
	char *buf2;
	int cnt;
	char *err;
{
	char c, *buf;

	buf = buf2;
	do {
		/* check for room before reading the next byte */
		if (cnt-- == 0) {
			printf("%s too long\n", err);
			exit(1);
		}
		if (read(0, &c, 1) != 1)
			exit(1);
		*buf++ = c;
	} while (c != 0);
}
***************************************************************

[FLAME ON (for those of you in net.bugs)]

Let me ask, once again, WHO WRITES THIS CRAP!!!!!!!!!!!!!!!!!!
More importantly, what punishment has been given!

Brian Atkins	...{attunix, hao, allegra, ucbvax}!nbires!atkins
NBI Inc., P.O. Box 9001, Boulder CO 80301	(303) 444-5710
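
Added example, not part of the original article and not code from rexecd.c: the two loop orderings posted above, run against an 8-byte field with a canary byte behind it, showing which inputs each one accepts and that neither writes past the field. Assumptions: an in-memory reader (struct src, next_byte) stands in for read(0, &c, 1), return codes replace exit(1), and the 8-byte field size and inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for read(0, &c, 1): bytes come from memory, not a socket. */
struct src { const char *p; size_t left; };

static int next_byte(struct src *s, char *c) {
    if (s->left == 0) return 0;
    *c = *s->p++;
    s->left--;
    return 1;
}

/* "Before" ordering: store, then count. 0 = ok, -1 = too long, -2 = short read. */
int getstr_orig(struct src *s, char *buf, int cnt) {
    char c;
    do {
        if (!next_byte(s, &c)) return -2;
        *buf++ = c;
        if (--cnt == 0) return -1;  /* fires even when this byte was the NUL */
    } while (c != 0);
    return 0;
}

/* "After" ordering: check for room before reading the next byte. */
int getstr_fixed(struct src *s, char *buf, int cnt) {
    char c;
    do {
        if (cnt-- == 0) return -1;
        if (!next_byte(s, &c)) return -2;
        *buf++ = c;
    } while (c != 0);
    return 0;
}

/* Read msg into an n-byte field (n < 32) followed by a canary; 99 = canary hit. */
int try_read(int fixed, const char *msg, size_t len, int n) {
    char area[32];
    struct src s = { msg, len };
    memset(area, 0x7f, sizeof area);
    int r = fixed ? getstr_fixed(&s, area, n) : getstr_orig(&s, area, n);
    return area[n] == 0x7f ? r : 99;
}

int main(void) {
    printf("7 chars + NUL, 8-byte field: before=%d after=%d\n",
           try_read(0, "1234567", 8, 8), try_read(1, "1234567", 8, 8));
    return 0;
}
```

A string whose terminating NUL lands in the last byte of the field is rejected by the first ordering and accepted by the second; one byte more is rejected by both before anything is stored beyond the field.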